A threat actor group called Icarus has breached Klue, a competitive intelligence platform, by exploiting integrations linked to Salesforce, compromising data from hundreds of organisations including security firms. The attack follows a pattern of extortion campaigns targeting SaaS platforms through third-party integration weaknesses. The inclusion of security vendors among the victims raises particular concerns about potential downstream exposure of sensitive client data.

Security Architect’s Take: Audit all Salesforce-connected integrations and OAuth grants immediately — revoke any third-party app permissions that are unused or overly permissive. Review data-sharing agreements with SaaS vendors like Klue to understand what CRM or sales intelligence data they hold on your behalf, and ensure your vendor risk assessments include integration-level attack surface analysis.

Original advisory: Security shops among the ‘hundreds’ of Klue hack victims